Another heap overflow in PCRE (similar to 1250943) was found. Taken from https://bugs.exim.org/show_bug.cgi?id=1672 :

"""
The latest version of PCRE is prone to a heap overflow vulnerability which can be caused by the following regular expression.

/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/

A dry run of this particular regular expression with pcretest will report "double free or corruption (!prev)". But it is actually a heap overflow problem. It is a similar problem to the one discussed in https://bugs.exim.org/show_bug.cgi?id=1667.

The following test was conducted with the svn-updated version of pcre. Here is the memory layout of re (its size is 248) just before the second compile_regexp():

==============================================================
(gdb) x/256b 0x1f8a8a0
0x1f8a8a0: [0x45 0x52 0x43 0x50 0xf8 0x00 0x00 0x00
0x1f8a8a8: 0x00 0x00 0x00 0x00 0x00 0x04 0x00 0x00
0x1f8a8b0: 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
0x1f8a8b8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8c0: 0x00 0x00 0x40 0x00 0x04 0x00 0x05 0x00
0x1f8a8c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8d0: 0x50 0xaf 0xf8 0x01 0x00 0x00 0x00 0x00
0x1f8a8d8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8e0: 0x00 0x02 0x52 0x00 0x00 0x04 0x52 0x00
0x1f8a8e8: 0x00 0x05 0x52 0x00 0x00 0x03 0x52 0x00
0x1f8a8f0: 0x00 0x01 0x52 0x00 0x00 0x00 0x00 0x00
0x1f8a8f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a900: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a908: 0xc0 0x91 0x34 0xf7 0xff 0x7f 0x00 0x00
0x1f8a910: 0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00
0x1f8a918: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a920: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a928: 0x80 0xa9 0xf8 0x01 0x00 0x00 0x00 0x00
0x1f8a930: 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
0x1f8a938: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a940: 0x90 0xa9 0xf8 0x01 0x00 0x00 0x00 0x00
0x1f8a948: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a950: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a958: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a960: 0xff 0xff 0xff 0xff 0x00 0x00 0x00 0x00
0x1f8a968: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a970: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a978: 0xa0 0x76 0x34 0xf7 0xff 0x7f 0x00 0x00
0x1f8a980: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a988: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a990: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00]
0x1f8a998: 0x41 0x01 0x00 0x00 0x00 0x00 0x00 0x00
==============================================================

After the second compile_regexp:

==============================================================
(gdb) x/192b 0x1f8a8a0
0x1f8a8a0: [0x45 0x52 0x43 0x50 0xf8 0x00 0x00 0x00
0x1f8a8a8: 0x00 0x00 0x00 0x00 0x00 0x04 0x00 0x00
0x1f8a8b0: 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff
0x1f8a8b8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8c0: 0x00 0x00 0x40 0x00 0x04 0x00 0x05 0x00
0x1f8a8c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8d0: 0x50 0xaf 0xf8 0x01 0x00 0x00 0x00 0x00
0x1f8a8d8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x1f8a8e0: 0x00 0x02 0x52 0x00 0x00 0x04 0x52 0x00
0x1f8a8e8: 0x00 0x05 0x52 0x00 0x00 0x03 0x52 0x00
0x1f8a8f0: 0x00 0x01 0x52 0x00 0x83 0x00 0xa6 0x83
0x1f8a8f8: 0x00 0xa0 0x83 0x00 0x8d 0x81 0x00 0x87
0x1f8a900: 0x85 0x00 0x81 0x00 0x01 0x1d 0x3a 0x83
0x1f8a908: 0x00 0x56 0x85 0x00 0x05 0x00 0x02 0x78
0x1f8a910: 0x00 0x05 0x81 0x00 0x48 0x85 0x00 0x42
0x1f8a918: 0x00 0x03 0x18 0x83 0x00 0x1e 0x85 0x00
0x1f8a920: 0x05 0x00 0x04 0x78 0x00 0x05 0x81 0x00
0x1f8a928: 0x10 0x85 0x00 0x0a 0x00 0x05 0x73 0x00
0x1f8a930: 0x00 0x00 0x05 0x78 0x00 0x0a 0x78 0x00
0x1f8a938: 0x10 0x77 0x00 0x13 0x85 0x00 0x0d 0x00
0x1f8a940: 0x04 0x85 0x00 0x05 0x00 0x05 0x78 0x00
0x1f8a948: 0x05 0x78 0x00 0x0d 0x78 0x00 0x31 0x1d
0x1f8a950: 0x6b 0x1d 0x27 0x1d 0x52 0x1d 0x27 0x78
0x1f8a958: 0x00 0x42 0x78 0x00 0x48 0x77 0x00 0x13
0x1f8a960: 0x85 0x00 0x0d 0x00 0x02 0x85 0x00 0x05
0x1f8a968: 0x00 0x03 0x78 0x00 0x05 0x78 0x00 0x0d
0x1f8a970: 0x78 0x00 0x69 0x1d 0x48 0x1d 0x27 0x1d
0x1f8a978: 0x41 0x1d 0x6b 0x1d 0x27 0x1d 0x52 0x1d
0x1f8a980: 0x66 0x78 0x00 0x81 0x78 0x00 0x87 0x77
0x1f8a988: 0x00 0x0d 0x1d 0x73 0x85 0x00 0x05 0x00
0x1f8a990: 0x01 0x78 0x00 0x05 0x78 0x00 0x9a 0x78]
0x1f8a998: 0x00 0xa0 0x78 0x00 0xa6 0x00 0x00 0x00
==============================================================

At least 5 more bytes are written to the heap.
"""

CVE request: http://www.openwall.com/lists/oss-security/2015/08/24/1

Upstream patch: http://vcs.pcre.org/pcre?view=revision&revision=1594
Created pcre tracking bugs for this issue:

Affects: fedora-all [bug 1256452]

Created mingw-pcre tracking bugs for this issue:

Affects: fedora-all [bug 1256453]
Affects: epel-7 [bug 1256454]
Statement: (none)
pcre-8.37-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14229
pcre-8.37-4.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14235
pcre-8.35-14.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14242
pcre-8.37-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update pcre'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14229

pcre-8.35-14.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update pcre'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14242

pcre-8.37-4.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update pcre'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14235
pcre-8.37-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
pcre-8.37-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
pcre-8.35-14.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
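As an added example (not part of this bug or of Fedora's update tooling), a small POSIX sh check that decides whether an installed pcre package NVR is at or above the fixed builds named in the update comments above. It assumes a plain numeric, segment-by-segment comparison is sufficient for these version strings; full rpmvercmp semantics are not implemented.

```shell
#!/bin/sh
# Added example: check an installed Fedora "pcre" NVR against the fixed builds
# named in this bug (pcre-8.37-4.fc23, pcre-8.37-4.fc22, pcre-8.35-14.fc21).
# Assumption: numeric segment-by-segment comparison is enough for these
# strings; rpmvercmp rules for letters and tildes are deliberately left out.

# vercmp A B: prints -1, 0 or 1 for A<B, A==B, A>B, splitting on '.' and '-'.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# Fixed version-release per dist tag, taken from the update comments in this bug.
fixed_for_dist() {
    case "$1" in
        fc23|fc22) echo "8.37-4" ;;
        fc21)      echo "8.35-14" ;;
        *)         return 1 ;;
    esac
}

# pcre_is_fixed NVR: exit 0 if NVR (e.g. pcre-8.37-4.fc23) carries the fix,
# 1 if it is older than the fixed build, 2 if the dist tag is not covered here.
pcre_is_fixed() {
    vr=${1#pcre-}          # 8.37-4.fc23
    dist=${vr##*.}         # fc23
    vr=${vr%.*}            # 8.37-4
    fixed=$(fixed_for_dist "$dist") || return 2
    [ "$(vercmp "$vr" "$fixed")" -ge 0 ]
}

# Typical use on a live host (constructed; rpm itself is not needed for the check):
#   pcre_is_fixed "$(rpm -q pcre)" && echo "fixed" || echo "NOT fixed"
```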
*** This bug has been marked as a duplicate of bug 1287711 ***